Meta is trying to come up with new ways to process large amounts of data while still protecting the privacy of people on its platforms. To that end, the company has started using a new Anonymous Credential Service (ACS) that is the result of collaboration between academia and the private sector.
In practice, the ACS is essentially an authentication service that can verify someone’s identity without needing to know any personal details. The solution relies on the exchange of tokens that can be used as secure authentication factors even after identifying information has been obscured. The two-phase authentication process begins when an end user sends a token request to a server through a secure channel. The user picks a ‘blinding factor’ to encode the token, and the server signs the token and sends it back to the user.
The second phase is the actual authentication, in which the user unblinds the signed token and sends it (instead of a user ID) for approval through an anonymous channel. The ACS uses a shared secret to confirm that the token is legitimate, and that the request is coming from an authentic source. The token generation process and the authentication process are completely separate to ensure that the data being processed has been distanced from the person that it belongs to.
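The two phases described above can be sketched as follows. This is an added example, not Meta's code: the article does not name the cryptographic scheme, so the block assumes Diffie-Hellman-style blinding in a toy group modulo a Mersenne prime, and every function name, the `MAX_USES` limit and the sample report are constructed for illustration.

```python
import hashlib, hmac, math, secrets

P = 2**521 - 1   # Mersenne prime; toy group Z_P^* chosen for brevity (assumption)
ORDER = P - 1    # exponents are taken modulo the group order
MAX_USES = 3     # constructed reuse limit; the page gives no number

def hash_to_group(token: bytes) -> int:
    h = int.from_bytes(hashlib.sha512(token).digest(), "big")
    return h % (P - 3) + 2                      # element in [2, P-2]

def client_blind(token: bytes):
    """Phase 1, client: hide the token under a random blinding factor r."""
    while True:
        r = secrets.randbelow(ORDER)
        if r > 1 and math.gcd(r, ORDER) == 1:   # r must be invertible mod ORDER
            return r, pow(hash_to_group(token), r, P)

def server_sign(k: int, blinded: int) -> int:
    """Phase 1, server: sign the blinded value without seeing the token."""
    return pow(blinded, k, P)

def client_unblind(r: int, signed: int) -> int:
    """Strip r: (T^(r*k))^(1/r) = T^k, the secret shared with the server."""
    return pow(signed, pow(r, -1, ORDER), P)

def request_tag(shared: int, request: bytes) -> bytes:
    key = hashlib.sha256(shared.to_bytes(66, "big")).digest()
    return hmac.new(key, request, hashlib.sha256).digest()

def server_redeem(k, uses, token, request, tag) -> bool:
    """Phase 2, server: recompute T^k from the token alone; no user ID involved."""
    if uses.get(token, 0) >= MAX_USES:
        return False
    expected = request_tag(pow(hash_to_group(token), k, P), request)
    if not hmac.compare_digest(expected, tag):
        return False
    uses[token] = uses.get(token, 0) + 1
    return True

if __name__ == "__main__":
    k, uses = secrets.randbelow(ORDER - 2) + 2, {}
    token = secrets.token_bytes(32)
    r, blinded = client_blind(token)                       # authenticated channel
    shared = client_unblind(r, server_sign(k, blinded))
    report = b'{"metric":"startup_ms","value":412}'        # constructed sample
    print(server_redeem(k, uses, token, report, request_tag(shared, report)))
```

The server only ever sees the blinded value during issuance and the bare token during redemption, so it cannot link the two without knowing `r`; a production deployment would use a vetted prime-order elliptic-curve group rather than this toy modulus.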
According to Meta, the new solution is useful because it minimizes the computational burden on its servers. In that regard, the ACS is able to proactively de-identify data before it hits Meta’s servers, and requires fewer resources than the tech giant’s old system, which de-identified and aggregated data after it had already been processed.
Meta also allows people to reuse tokens a set number of times before creating a new one to further reduce the strain on its data centers. However, the company requires a new token each time a user is authenticated for certain high-risk transactions. The ACS has now been deployed across several high-volume Meta applications, including WhatsApp, where it allows Meta to gather performance data that can be used to improve the app without collecting personal information from individual users.
ACS is built on top of a Twine foundation with C++ code. Meta itself has struggled with privacy in the past, most notably with the Cambridge Analytica scandal and its BIPA lawsuit in Illinois. In the former, the FTC fined Meta (then Facebook) $5 billion for sharing personal information with third parties without consent, while in the latter, the company paid $650 million to settle a suit that alleged that the company illegally gathered and stored biometric data from its users.
With that in mind, the ACS could give Meta a way to process data while mitigating its legal exposure in the wake of those high-profile (and expensive) cases. The company has already decided to discontinue its facial recognition program in the wake of the BIPA settlement.